
ndogg writes "Mozilla is considering pulling TeliaSonera from its list of root certificate SSL providers. They have asked for comments on this on their mailing list. They're concerned about the use of the certificates by those governments for spying on its citizens, particularly in Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan — where TeliaSonera operates subsidiaries or is heavily invested. Mozilla's concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites — so-called man-in-the-middle attacks — and decrypt web traffic. This alleged activity would contradict Mozilla's policy against 'knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates.'"

Considering how the US government is positioned for playing MITM games, and that it is putting in place laws to require information and actions from internet providers of critical services, it is tempting at the very least. But with such an aggressive player in the middle of the field, maybe it is better to just close your eyes and put a token warning in a page than to try to fix it, which will just put more in evidence how broken everything is now.

FWIW, I don't think ANY of the certificate issuing authorities are trustworthy. This doesn't mean that some aren't worse than others, and it might make sense to revoke the trust you have given to some of the worst actors, if you can do so without TOO much cost to yourself. If nothing else it would ensure that the infrastructure is in place to do the revocation. And it would encourage the weaker authorities to avoid being excessively vile.

Let's put it this way. Already the US security agencies have access, and are actively using it, to Google/Facebook/Twitter and similar information, no need to get into the encrypted communication. But what about other sites, especially the ones not hosted in the US but that could use certificates to encrypt communication? If they don't already have pretty broad (i.e. for *.com) or reissued certificates, they will start to ask for them pretty soon.

In the other hand, not trusting any certificates from any US based company will

I use certificate patrol. It basically warns you if a cert has changed suspiciously, or if the CA has changed.

It's flawed in that it only remembers one cert per domain for comparison and nowadays for whatever reasons companies like facebook and Google often use different certs signed by different CAs for the same domains and spread the load/connections amongst them. So you can get more warning prompts than you'd want.

This doesn't mean the concept is broken though, just that Certificate Patrol's particular implementation has room for improvement.

The desired case is, if at home you decide that the different certs you get from gmail or facebook are OK (and told the plugin to ignore them), then go to some foreign country and suddenly you get certs that are signed by TeliaSonera, you'd get a warning message and you'd know that something was up and choose not to login.

Same goes for logging in to your bank/corporate site while on a business trip to China. If the cert changes unexpectedly - from being signed by say Equifax to being signed by CNNIC, you should get a warning too.
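A detector along the lines described in this post, written here as an added example (not Certificate Patrol's own code): it keeps several accepted issuers and fingerprints per host, so the load-balanced multi-certificate case above stops producing repeated prompts, while a certificate from an issuer never seen for that host (the travelling-user case) still warns. The hosts, issuer names and DER bytes below are constructed.

```python
# Added example, not Certificate Patrol's code: a certificate-change monitor
# that remembers several accepted (issuer, fingerprint) pairs per host.
import hashlib
from dataclasses import dataclass, field


@dataclass
class Observation:
    host: str
    issuer: str   # issuer name as the browser displays it
    der: bytes    # DER-encoded leaf certificate; constructed in the demo below


@dataclass
class HostRecord:
    issuers: set = field(default_factory=set)        # issuers the user has accepted
    fingerprints: set = field(default_factory=set)   # SHA-256 of accepted leaf certs


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


class CertPatrol:
    def __init__(self):
        self.store: dict[str, HostRecord] = {}

    def check(self, obs: Observation) -> str:
        """Classify an observed certificate for obs.host."""
        fp = fingerprint(obs.der)
        rec = self.store.get(obs.host)
        if rec is None:
            # Trust on first use: nothing to compare against yet.
            self.store[obs.host] = HostRecord({obs.issuer}, {fp})
            return "first-seen"
        if fp in rec.fingerprints:
            return "known"
        if obs.issuer in rec.issuers:
            # Different leaf cert from an issuer already accepted for this host
            # (renewal or a second load-balanced cert): low severity, not stored
            # until the user accepts it.
            return "new-cert-known-issuer"
        # Issuer never seen for this host (e.g. Equifax -> CNNIC, or a TeliaSonera
        # cert appearing while abroad): high-severity warning.
        return "warn-new-issuer"

    def accept(self, obs: Observation) -> None:
        """Record a certificate the user has reviewed and chosen to trust."""
        rec = self.store.setdefault(obs.host, HostRecord())
        rec.issuers.add(obs.issuer)
        rec.fingerprints.add(fingerprint(obs.der))


def demo() -> list[str]:
    """Constructed sequence: home use, then a suspicious cert while travelling."""
    patrol = CertPatrol()
    home1 = Observation("mail.example.com", "Equifax", b"constructed-der-1")
    home2 = Observation("mail.example.com", "Equifax", b"constructed-der-2")
    abroad = Observation("mail.example.com", "TeliaSonera", b"constructed-der-3")
    results = [patrol.check(home1)]
    results.append(patrol.check(home2))   # second load-balanced cert, same issuer
    patrol.accept(home2)                  # user reviewed it and told the plugin it is OK
    results.append(patrol.check(home2))
    results.append(patrol.check(abroad))  # never-seen issuer: warn
    return results


if __name__ == "__main__":
    print(demo())
```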

I would argue that anyone logging in to their corporate site from China without using a VPN with a self-signed certificate is doing it wrong. Hell, I'm going on holiday to Australia later in the year and I'm setting up a VPN to my home network so I can use email etc without worrying about my credentials being lifted by any local agency. I know it's a little much for most home users, but for anyone with even an inkling of tech knowhow or a corporate user it should be mandatory.

Hell did any government official go to jail for the Gulf Of Tonkin false flag which cost 58,000 Americans their lives? How about for Fast & Furious which handed drug cartels weapons by the truckload and killed at least one border agent and countless civilians?

Frankly the US government is just as nasty and corrupt as the rest; read General Butler's "War is a racket" speech sometime. That speech is nearly a century old and could have been taken from the current papers: wars all over the place for the benefit of a few rich people and corps. If the US gov told me it was raining outside? I'd want a second opinion.

Smedley Butler was, if not an outright Communist, at least a fellow traveller. His views on American's wars of the era are therefore tainted by the particular ideology that gripped him at that time, and he was not a dispassionate commentator.


I don't understand what you mean. I was referring to the way it seems popular to vilify the U.S. nowadays, ignoring the good things the U.S. has done and continues to do. Yes, Eisenhower spoke about that, and he may have been right.

But I think you missed the GP's point. It's easy to criticize the status quo, because it's far, far from perfect, just, or fair. The problem is that there is no viable alternative. Communism and socialism and fascism all failed, because they are rotten at their core. Capit

So because Stalin was a dick, the feds are...what? Given a free pass because "Hey they ain't beating me with a tire iron herpa de derpa". That is about the DUMBEST fucking argument I have EVER read, and since we are talking about the net that is a pretty mean feat...congrats. Oh I noticed you didn't have the balls to have a UID, kinda sad when you don't even have the balls to stand behind your bullshit, maybe because even you could see the problems with it?

Oh I noticed you didn't have the balls to have a UID, kinda sad when you don't even have the balls to stand behind your bullshit

As opposed to Mr. Hairyfeet of 4 Riverside Drive, Boston who risks his political career whenever he posts?

Yeah it's more credible when there's a tag associated, but it's not taking balls to log in and create an account. I could post any amount of heinous shit myself and walk away with my life working just perfectly.

And again your argument boils down to "Its okay that they raped me because if it would have been the other bunch they would have fisted me as well"...and you HONESTLY can't see the fault with that logic? this isn't a popularity contest, how many around the world have DIED by direct involvement of the US government since 1960?

And as for the other guy...who in the fuck would think I'm from Boston? that ain't even in the same timezone first off, and second if you are too God damned lazy to even spend the 3 w

I am not saying anything about what is OK, and I think much of what the US government is doing and have done is very far from OK.

But that was not what we were discussing. You said that the US government was "as nasty and corrupt as the rest", the AC pointed out some examples that he felt was worse while acknowledging that the US did have its own problem, and you interpreted that as giving the US a free pass. I pointed out that that was not what the AC said, and you have now accused ME of saying everything

[...] original comment said "Frankly the US government is just as nasty and corrupt as the rest[...]", against which examples of other, worse regimes is a quite effective argument.

Let's deconstruct that argument, shall we?

The AC gave a list of 8 regimes, with three of the examples consisting of dead ex-leaders. So, considering regimes ranging from 1917 (Example #4: USSR under Lenin) until today, given that we currently have over 200 countries and the tumultuous nature of the past century, a conservative estimate would be at least twice that number of distinct "regimes". I'm not a political historian, so I'll just take 400 as my estimate (feel free to correct me with hard data).

The 58,000 of you are nothing compared to the 400,000 civilians killed in a war that you had to use a false flag operation to start. What about them? What about the ongoing effects of what you left behind? My wife's cousin not only can't speak but has no concept of language because of the dioxins in the food chain. It really makes my blood boil when I see shit in the media that ignores the cost to Vietnam while making a big deal over the loss of American or Australian lives, or the effects of agent oran

"As nasty and corrupt as..."... China under Mao? Venezuela under Chavez? Cuba under Castro? The USSR under Lenin and Stalin? Cambodia under Pol Pot? The NPRK under the various Kims? Zimbabwe under Mugabe? Zaire/the Congo under Mobutu?

Care to revise your bullshit story?

For all of America's, the American government's, and its leaders' flaws - and of course they are many (and one wonders how your life would stand up upon the withering criticism and examination that the life of a President, for example, gets) - I believe very few of our leaders have ever had a genuine desire to harm people nor have they harbored a profound megalomania. Ego - of course; megalomania - no. Sure, go ahead and despise a President because of their ideological orientation that you disagree with but the notion of the Chomskyites, this strange Kool-Aid they like to guzzle, being fed doses of pablum about "American Imperialism" and the "Military-Industrial Complex" and railing endlessly about the "Evils of Capitalism" yet enjoying its countless benefits (you know, like jobs, homes, clothes, electronics, computers, global air travel, and this weird little thing called the Internet), never proffering a meaningful let alone viable alternative, I am convinced is one of the luxuries provided by the American model of capitalism and Constitutional governance. Trust me if you were to write what you wrote about Mugabe your flesh-burned and -torn body (they wouldn't spend a bullet on you, lest they lose out on a good opportunity to torture you first) would soon be found on the roadside somewhere.

And, if you despise America, think it hopelessly corrupt and nasty "as the rest" then why not leave it for greener pastures? Maybe some other country has it figured out better than we do? According to Michael Moore, Cuba has the best medical care in the world. Just ask Hugo Chavez.

You are probably under 30, since it would appear you don't understand what USA was 30+ years ago and why people see USA as horribly horribly corrupt country.

But of course, your short life experience and Wikipedia make you competent to bleat about anything you wish.

OK, what's so different about the US nowadays? US involvement in Iraq and Vietnam seems rather similar to me - authorization gained by deceit, winning all the battles but still floundering, lasting longer than WWII did (assuming the common 1939 start date), hurting a lot of innocent civilians. Slightly earlier, anti-communist witch hunts had been the demonization of the day, and during the Vietnam War the FBI infiltrated a lot of peaceful anti-war groups in an attempt to discredit them. I think I unders

The countless US invasions, the protection of dictators like Noriega, Pinochet and even Saddam just because (in their opinion it's the lesser of two evils), the support of Islamic groups like the Taliban, etc., etc. Even today, the CIA torture jails, Halliburton corruption, and Wall Street and bank frauds show that you have nastiness and corruption all over the top of US government and companies.

"As nasty and corrupt as..."... China under Mao? Venezuela under Chavez? Cuba under Castro? The USSR under Lenin and Stalin? Cambodia under Pol Pot? The NPRK under the various Kims? Zimbabwe under Mugabe? Zaire/the Congo under Mobutu?

Are you trying to say that, if we rank all regimes in modern history by their level of corruption, the current US one would be in, what, 9th place?

Wow...congrats to the old dude, you sir pretty much demolished that argument with a couple of well written sentences, bravo sir. I guess I'm a little too passionate to pull something similar off, I was raised with a deep love of individual freedoms and all the jack booted bullshit we've seen for quite awhile really burns me up.

In fact the only thing that will piss me off quicker is the "you better love Murrica or GTFO" crowd because they make it clear the US government could slaughter brown and yellow pe

The whole point of certificates and SSL is to protect communications between the browser and the web server. It's not "to protect communications from everyone except the government". It's to protect it from EVERYONE - including (and sometimes especially) the government.

There most certainly is a "good or bad" - your own assertion that every government in the world is corrupt supports that, in fact. I have no idea why you went on the anti-US rant there, but whatever.

The issue to discuss is the difficult position that Mozilla finds itself in now: an intentional and self-imposed obligation to act when cert authorities are compromised coupled with the unintended consequence of now having to decide if a Sovereign nation, acting legally within its own jurisdiction, constitutes a

It's hardly a country that loves freedom if it regulates people's personal lives like this.

It's a federal country. You have the freedom to leave a state that doesn't respect your freedom for one that does.

How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?

Without taxation, there is no way to fund a court or police force. Without those, there is no way to enforce the laws against a private citizen using force or fraud to coerce another private citizen. Or what am I missing?

You do realize that the idea of taxes is to pay for things that everyone uses, but would be infeasible to be run by private entities. This so called extortion you speak of is basically making you pay for that which you use. i.e. not stealing it. Any sane individual has no problem with paying taxes for public services, the disagreement comes into what should be a public service and what should not.

And your statement on fraud confirms you do not know what fraud is. I may not know everything the government does with the money I give them, but I do know that it's not swindled from me, and I do know what a lot of it goes towards. Fraud would be being told you're paying for one thing, then either not getting it at all, or getting something very different, and worth much less.

And everything is pro-freedom except when it's not. I expect to be free to do what I want, except when it violates the freedoms of other people. I don't expect to have the freedom to get in my car drunk off my ass and drive down the road. That endangers the freedom of other people to exist.

You, sir, are either not a Libertarian or you represent the 1% of the party that is actually rational.

Here's what I hear all the time from Libertarians I have known.
ALL taxes are evil. Well, OK, maybe it's necessary to pay something just to support the military so China/Russia/whoever won't invade us.
There's NOTHING that the government does that private industry can't do better and cheaper. NOTHING.
Most of the taxes paid are wasted on a bloated government.
If government didn't do anything ex


There are other ways of raising funds without resorting to extortion. Donations and lotteries come to mind.

A lottery is a tax on being bad at math. Where does law enforcement get its funding once people become no longer bad at math?

A lottery is not a tax when partaking is voluntary. Other funding mechanisms include charity and user charges.

You're missing the fact that in order to prevent one citizen from using force or fraud against another citizen, the state must use force and fraud against all citizens.

As for force, in this imperfect system of things, it is impossible to reduce total force and fraud to zero. The job of a tax-funded police force is to minimize the use of force. The job of a lot of other tax-funded services is to minimize situations that lead to poverty because desperation to survive is itself known to lead to the use of force. As for fraud, the laws are on the books for all to see. Please explain what you meant by government use of fraud against citizens.

I don't think the state should protect people from themselves or from nature. That's what the community is for, via voluntary means. The state should only protect people from other people.

I consider forcing someone to hand over their money using a threat of force to be a form of fraud. It may not be the best use of the word, but either way it's unethical and should be illegal.

A child cannot afford to pay for anything. Should children whose parents die starve to death?

A child would have a guardian. Adults are responsible for children, not feeding them would be tantamount to abusing them. If a child has no parents then someone would adopt that child. There are a lot of people out there that would be willing to do this.

Would you let a child starve? I wouldn't. Freedom is about caring for other people around us, and acting to help them. Not because we are forced to but because it's the right thing to do.

I would help to fund a police force that protects my neighbour even though my neighbour would not. It's in my best interests to do so. [...] But they don't get to use any services that they do not pay for.

So how should the police determine at a glance who has subscribed and who has not?


It's hardly a country that loves freedom if it regulates people's personal lives like this.

Balderdash. Anyone can live with whomever he wants and can make whatever kind of promises or agreements he wants with whomever he wants. The government not giving a slip of paper endorsing or verifying their private decisions is not a form of regulating their personal lives--it's the opposite! It's refusing to be involved in it! How much more freedom do you require than lack of involvement?

Then why all this fuss about gay marriage? Why is bigamy illegal? Laws that criminalise those things restrict personal liberties.

And yet those taxes are still there. How can the US be pro freedom if it actively harms people by confiscating property off them using a threat of force?

You're being silly. Every nation in the world has taxes, and no nation could exist with zero taxes. Taxes have been around as long as death. Your argument is preposterous and irrational.

Just because all nations have taxation does not mean that it is impossible for a nation to exist without it. Just because taxation has been around for a long time doesn't mean it's not an infringement on our liberties.

I can't - but that doesn't mean (in any way at all) that the US is the bastian[sic] of freedom. It's not. Your government removes and dilutes your freedoms far too much.

All governments do--that's their basic function. Only by the vigilance of its citizens does a nation preserve its liberty.

The basic function of government should be to protect people from harm. They shouldn't be the ones doing the harming.

Thankfully, our basic rights which allow us to be vigilant are enshrined in our founding documents, a claim which few nations can make.

Is the US perfect? Hardly. Is it getting worse? Perhaps. Is there any freer nation? No.

But, hey, bashing America is easy and popular, so why not join the mob?

It's hardly a country that loves freedom if it regulates people's personal lives like this.

Balderdash. Anyone can live with whomever he wants and can make whatever kind of promises or agreements he wants with whomever he wants. The government not giving a slip of paper endorsing or verifying their private decisions is not a form of regulating their personal lives--it's the opposite! It's refusing to be involved in it! How much more freedom do you require than lack of involvement?

Then why all this fuss about gay marriage? Why is bigamy illegal? Laws that criminalise those things restrict personal liberties.

That's a good question. Originally I'm sure it goes back to something like common law or colonial values, i.e. moral values. From a practical standpoint, it probably exists to protect women from men who would marry a woman and then marry another woman, perhaps even secretly; this could go on and on, as he abandons each one for the next. When those laws were written or assumed, women could not as easily survive independently. It really hasn't been that many years since marriage and family was a basic nece

Yes, your taxes are low because you have poor people living in misery! People who want to live well don't live in the USA; you live in propaganda, in a bubble where poor people are to be ignored and not taken care of. There are loads of better countries. I am from Scandinavia, and from our point of view the USA seems more like a third world dictatorial country than a rich democratic country... you should try to live somewhere else sometimes...

There are many places in America where gays can marry, and more states are considering it. We are moving in the right direction.

The same group that pushes for gays to marry also presses the hardest to outlaw polygamy, and 1-on-1 marriage between biological adults. The latter even carries massive prison sentences, and at least brands you for life.

More to the point, ownership is not a right that can be defined in the absence of government... and here "government" has to be defined as "use or threat of overriding force".

Note that in this sense social animals have government, so it's broader than the normal use of the term.

For that matter, I equate "natural right" to "evolutionarily stable strategy", which means that it alters with the environment, and isn't something stable. It's also worth remembering that "money" is a government invention (King Cyr

You were making sense, until you wrote that bit of drivel. Yes, child, there really IS good, and there really IS bad. I can agree with you that the US government often doesn't know the difference. I can agree that the US government is in no position to be the final arbiter of good and bad. But, there really are evil sumbitches in the world. A significant number of them occupy positions of power.

Instead of trusting any of these companies (they'll sell to the US government as well, I'm sure), why not switch to Convergence [wikipedia.org]? It reduces the need to trust companies like this.

Mozilla (and Google, and other browser makers) should include it by default in all their products (even if turned off) to make it easier for people to switch away from centralised systems. Viva le revolucion.

Proper DNSSEC uses a single trust anchor for the root "." that can validate the delegated registries (com., net., uk., fr.). DLV registries were a hack until the root zone got signed, which has now happened.

For DNSSEC to work you need to validate the responses of signed zones and you need to trust their corresponding registries (for.com Verisign). The person signs their zone (example.com) and pushes their public key up to Verisign in the form of DS record. The registry can remove the public key, causing th

It's not some entity other than the one who's already directing you to the website. Presumably if it were easier to redirect at the DNS level as opposed to MITMing and getting a fake certificate, people would be doing that instead. It also makes any compromise much more visible and reduces the number of people you need to trust absolutely.

In the current situation, to impersonate an SSL protected site you need to MITM in some way (e.g. DNS spoofing), and get a valid certificate for the domain. So you have to at least attack two different security measures (even if MITM is simple for some entities).

If certificate info is published in DNSSEC you need to compromise only one place to achieve both MITM and add fake certificates. Sure it might be harder, but if this method was used, I

A great feature of Convergence is the ability to have multiple signatures. HTTPS needs this too. Imagine the current scenario where gmail regularly has 25 signers on its certificate and then one day there is only one. With something like EFF's HTTPS Everywhere SSL Observatory, this could be flagged.

But, switching TLS signing to PGP is a big deal and not backwards compatible. What I'd like to see (somebody else do this so I don't have to) would be an extension that would allow multiple certificates to be

Mozilla still includes all kinds of questionable cert authorities. Once I learned that, I had to go through my default Firefox installs and remove all the ones by Chinese government arms and similar.

Why single out these countries? I will never need a cert signed by a foreign government - ANY foreign government. There are probably only about 5% of authorities I actually might trust included in Firefox. The rest are illegitimate for 99% of users.

That's a nice idea, but it doesn't really solve the underlying problem. Imagine that you're convinced that TeliaSonera is friendly to governments in Central Asia (as the story seems to imply). So it would make sense to trust them (a lot) to attest government-friendly identities in that region. But it would be silly to trust them (at all) for anything else.

In the end, trust in a CA has context. It's not enough to simply assign a number to convey how much you trust a particular CA; what you're really interest

While your point has merit, context is a really tricky problem. A weight is something simple and easy...and could be implemented without slowing things down much.

OTOH, I certainly feel that individuals should be able to adjust the weights easily.

Question: Should the CA be able to determine whether or not a particular site trusts them? If not, how do you indicate the amount of trust (since you don't want to just block)? Things get complicated quickly.

Oh yes? Please list them and link to a certificate provided by one of them which has been issued without the permission of the party it has reputedly been issued to. Specifics please. This is the criteria, more or less the only criteria, which makes a cert authority questionable. Otherwise you are just (correctly) questioning the CA system which doesn't do what you think it does.

But those Swedes (and Finns == Swedes in disguise... Or is it vice versa?) are capable of anything. Just remember that Finnish (his mother tongue is Swedish, ha!) guy who invented Linux, and you will understand what they are capable of!

It's good to see browser maintainers recognizing that the browser is an essential - albeit uncertified - part of HTTPS authentication.

The preinstalled root certs have enormous leverage. If the validation of certificate requests performed by CAs is a known weak link in X.509, how much more so the point where those CAs are designated as trusted?

Thanks to the efforts of Mozilla, among others, we have a much more diverse browser ecosystem than even a few years ago. To some extent at least, the free market can decide which browser to use. I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression. And these difficult questions of policy and enforcement provide a chance for Mozilla to distinguish itself, which I think it's doing very ably.

I know that I'm more inclined to use a product that is squarely on the side of human rights than one which can be used as an instrument of oppression.

Then you may want to consider not using Mozilla. They're talking about pulling the certificate authority of a half dozen smaller countries on the suspicion that it has cooperated with those governments' lawful requests to monitor their citizens internet access. Or as it is called on slashdot, "spying." But here's the thing: There's no proof. It's just a suspicion... and it's a suspicion based on guilt by association no less.

So Mozilla is proposing forcing some of the people in these countries to use insecur

The willingness to hear about suspicions is a necessary part of gathering evidence, it's not a final assessment of evidence. "Talking about" doing something is a necessary part of due process, it's not the final outcome. If you don't understand these basic distinctions already, please give them some thought,


Speaking of weighing evidence, can you be a little more specific than a vague reference to "half a dozen smaller countries"? It's not possible to take such claims seriously. They certainly don't constitute grounds to think less of Mozilla, but they do raise doubts about you if this is your best way of establishing credibility. (And no, you can't date my daughter either, in case you were wondering. You're definitely not in her league.)

From the summary of the article: "Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan". And no, I wouldn't want to date your daughter, if she's got a personality anything like yours though, I can well imagine your desperation to find her someone.

Which is likely to be the source of trusted certificates for locally-provisioned HTTPS. Sure, no one's hijacking connections to US sites, but a local-language and locally-sited Google or Facebook or Twitter could be fair game.

Why doesn't everyone use SRP [wikipedia.org] instead?
- User proves it has the password without divulging any data.
- Man in the middle obtains zero information.
- Generates an encryption key for the rest of the connection.

In order to prevent active attacks, you need something to base the trust off of. In SSL, CAs are used, which is quite questionable because there's a lot of them with lots of different possible influences. In SRP, a shared secret (in the form of a password entered by the user) is used. That requires (1) somehow prearranging a shared secret and a related (2) a way of handling the user losing that shared secret. It seems like a good idea for applications like banking where you have a pre-existing relationship

In this particular instance, you actually want to say "password" of the person - it's actually right there in the protocol name - but yes. SRP is fantastic for situations where you want to authenticate over an unsecured connection. It is incapable of handling registration over such a connection though, unless there's somebody else's password you use first to establish a secure channel. This means it is not a viable replacement for SSL/TLS in common web usage.

Interesting discussion on the Mozilla forum. In light of the information so far, it seems like it would be difficult for Mozilla to keep TeliaSonera as trusted and not lose face. It will be interesting to see what kind of implications this has going forward in regards to dealing with other CAs that have practices or relationships that might fall into the similar shady areas as TeliaSonera. There are some forum posts mentioning that maybe Cybertrust (acquired by Verizon - known for participating in surve

If there are Authorities you do not need in the browser list, how do you choose which ones to untrust? What if you only use https with a few sites, should you just look at the information and whitelist only those?

Firefox works from a list that's different than Chrome's. I assume that there is another list again for people writing software for https connections. Maybe that's why I see the ssl libraries updating on my machine? If this is broken, then why is there not software available to "tune it" or test it so that it can be made to work? Can the web server see what cert you used? Can they tell that a fake cert was used? Maybe it should draw a warning on your pages that the cert authority had no business issuin

If they follow through with it, and if the other browser makers follow them, then you won't have to worry about it.

A CA's business is all based on trust. As soon as they're known to be untrustworthy then they're dead. Well, for any commerce or banking site at least. I expect the governments to still use them though. Even being suspect is enough to drive business away.

What we need is browsers pushing DNSSEC. Users are trained to look for the green padlock. If you display it as say yellow for a secure s

US, Canadian and European governments also spy on their citizens. So Mozilla now needs to determine whose spying is good and whose spying is bad. I'm not sure that's a business that Mozilla should be in.

Perhaps a better solution would be to make it easier and more user friendly for people to detect questionable certificates and choose which certificates you trust. But, of course, that would upset Western governments...